need advice on remote authentication
I've got an app I'm trying to build for my division. I'd like to take advantage of Zope's security model to control access to various parts of the site. Seems straightforward, but for one wrinkle. I need to authenticate users via a remote authentication service run by the company's HR organization. My organization explicitly does not want to be maintaining our own users and passwords, so I'd like to automatically create users as needed, rather than manually via the Zope management interface.

I've built some test objects that do the authentication, but don't know, once I've figured out who someone is, how to fit this into Zope's notion of users and roles.

Here's how the authentication works: assume the HR site is:

    foo.att.com/authenticate?return=mysite.att.com

I redirect to that page, and the user sees a login screen. He enters login/password and gets redirected back to mysite.att.com. I use an FSSession to keep track of where to go next, and can find out who the user is via cookies set by the HR site.

At this point, I assume that what I need is to somehow tell Zope which user this is (creating one if needed), and that after that point everything works as if the normal mechanism had been used. Can anyone give me some clue how to do this?

Also, if my general approach to this scheme is off base, I'd appreciate being told so.

Thanks

-- 
Garry Hodgson
garry@sage.att.com
Software Innovation Services
AT&T Labs

"Every night a child is born is a Holy Night." - Sophia Lyon Fahs
On Tue, 2 May 2000, Garry Hodgson wrote:
> but for one wrinkle. i need to authenticate users via a remote authentication service run by the company's HR organization. my organization explicitly does not want to be maintaining our own users and passwords, so i'd like to automatically create users as needed, rather than manually via the zope management interface.
>
> i've built some test objects that do the authentication, but don't know, once i've figured out who someone is, how to fit this into zope's notion of users and roles.
I think that both the GenericUserFolder and the LoginManager should be able to handle this. I think the LoginManager architecture would work better for what you are trying to do (but I don't know its current status).

GUF would also be able to handle it: it will involve pulling out the username from your HR cookie in the docLogin hook (possibly transparently to the user with an automatic redirect), and having your userAuthenticate hook do the check that the cookie is valid. Let me know if you choose this method and get stuck.

You could also subclass any of the existing UserFolders, depending on how you plan to maintain the other information you need (list of valid usernames, role membership, valid logon domains).

-- 
  ___
 //      Zen (alias Stuart Bishop)     Work: zen@cs.rmit.edu.au
 // E N  Senior Systems Alchemist      Play: zen@shangri-la.dropbear.id.au
//__     Computer Science, RMIT        WWW:  http://www.cs.rmit.edu.au/~zen
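The flow Garry describes (redirect to the HR site, come back, read the HR cookie, remember the next URL in a session) and the two GUF hooks Stuart names (docLogin to send the user off, userAuthenticate to check the cookie and create the user on first sight) can be sketched together in plain Python. This is an added example, not code from either poster, from Zope or from GenericUserFolder; it models the hooks as ordinary methods on a class so it runs without Zope. The thread does not say how the HR cookie is validated, so the cookie format assumed here (a cookie named HR_AUTH carrying "<username>.<hex HMAC-SHA256 over the username>" under a secret shared with the HR site), the cookie name, the secret, the default role and the dict standing in for FSSession are all assumptions; the HR URL and site name are the ones from the thread.

```python
"""Added example, not code from the thread or from Zope: a plain-Python model
of a docLogin / userAuthenticate hook pair that auto-creates users from a
verified HR cookie.

Assumptions (the thread does not specify them):
  * the HR site sets a cookie HR_AUTH = "<username>.<hex HMAC-SHA256>" keyed
    with a secret shared between the HR site and our site;
  * a plain dict stands in for the FSSession used to remember the next URL.
"""
import hashlib
import hmac
from urllib.parse import urlencode

HR_AUTH_URL = "https://foo.att.com/authenticate"  # HR site named in the thread
MY_SITE = "mysite.att.com"                         # return target named in the thread
HR_COOKIE_NAME = "HR_AUTH"                         # assumed cookie name
HR_SHARED_SECRET = b"assumed-shared-secret"        # assumed; load from config in real use
DEFAULT_ROLES = ["Member"]                         # assumed role for auto-created users


def hr_cookie_value(username: str, secret: bytes = HR_SHARED_SECRET) -> str:
    """Simulates the HR site under the assumed scheme (constructed for the demo)."""
    mac = hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{mac}"


class RemoteAuthUserFolder:
    """Stand-in for a GUF subclass: users live in a dict instead of the ZODB."""

    def __init__(self):
        self.users = {}  # username -> {"name": ..., "roles": [...]}

    def docLogin(self, session: dict, requested_path: str) -> str:
        """docLogin hook: remember where to go next, then build the HR redirect."""
        session["next"] = requested_path
        return HR_AUTH_URL + "?" + urlencode({"return": MY_SITE})

    def userAuthenticate(self, cookies: dict, session: dict):
        """userAuthenticate hook: verify the HR cookie, create the user if new.

        Returns (user, next_path) on success, or None when the cookie is
        missing, malformed or its MAC does not verify. A failed check is
        'not logged in'; it must never create a user.
        """
        raw = cookies.get(HR_COOKIE_NAME, "")
        if "." not in raw:
            return None
        username, mac = raw.rsplit(".", 1)
        expected = hmac.new(HR_SHARED_SECRET, username.encode(),
                            hashlib.sha256).hexdigest()
        # compare_digest avoids leaking the MAC through timing differences.
        if not username or not hmac.compare_digest(mac, expected):
            return None
        user = self.users.get(username)
        if user is None:
            # First sight of this HR identity: create the Zope-side user.
            user = {"name": username, "roles": list(DEFAULT_ROLES)}
            self.users[username] = user
        # Resume wherever the user was headed before the redirect.
        return user, session.pop("next", "/")


if __name__ == "__main__":
    folder = RemoteAuthUserFolder()
    session = {}
    print("redirect to:", folder.docLogin(session, "/division/reports"))
    # Constructed cookies: one genuine under the assumed scheme, one forged.
    good = {HR_COOKIE_NAME: hr_cookie_value("ghodgson")}
    forged = {HR_COOKIE_NAME: "ghodgson.0000"}
    print("genuine:", folder.userAuthenticate(good, dict(session)))
    print("forged: ", folder.userAuthenticate(forged, dict(session)))
```

The point of keeping the MAC check inside userAuthenticate, rather than trusting whatever username the cookie carries, is that the cookie is the only thing standing between an anonymous request and an automatically created, role-bearing user; the role list and the validity check are exactly the "other information" Stuart says a subclass has to decide how to maintain.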